When i click to note function and commend with payload "2"><img src=x onerror=alert(String.fromCharCode(88,83,83));>"

After save note will pop up such as image bellow.

Any one when access to url https://demo.krayincrm.com/krayin-42-112-15-238/admin/leads/view/24, pop up will show cho this user.

Recommended: You should validate input for note, don't allow insert special characters or html encode special characters.